Friday, April 20, 2007

WebAttacker is dead, long live WebAttacker

Hi folks,

Anyone who has read my blog knows that I thought WebAttacker was an interesting bit of software. For those who haven't read my blog, WebAttacker was a Russian-built canned-exploit package. For a few hundred bucks, you too, Mr Lamer, could be a Malicious Webmeister by adding WebAttacker to your website. Each month, the WA authors would add the best new exploits to their package and provide an update to their clients. The wheels started to fall off for them in September 2006, when their attempt to add the VML 0-day failed miserably, and they failed again the next month to add the October 0-day (the XML exploit, from memory). They made no attempt that I could find to release an update after that, and I decided that they had gone the way of all software developers whose products failed.

At about the same time, we began to find what we called the Q4-06 Exploit Rollup Package. This was a JavaScript file containing all the nifty exploits from September and October 2006 (SetSlice, VML, MS06-042, XML, Daxctle), sometimes in plain text and sometimes encrypted. Being available as plain JavaScript, it was free, easy to modify, and was quickly and widely adopted.

There was one version, however, that stood out from the others, principally because it was well encrypted _and_ it tracked visiting IPs, a la WebAttacker. If you came back to the same exploit website from the same machine, it would refuse to re-serve the exploit and would instead display "Sorry! You ip is blocked." (Yes, bad grammer and all.) We have long seen that specific error message associated with a particular exploit hub in Russia (Stela-something ... those who know, know who we mean), and it was no surprise to see them upgrade to the newest exploits, but the kicker is this...

We now see that exact error message coming from _many_ exploit websites. That means that the backend part of this is finding its way to other websites. That's significant. You can easily copy the client portion, but you cannot get hold of the server part unless someone wants you to. Either the Stela folks have been hacked themselves... or _they're_ selling the package, perhaps to fill the void left by the WebAttacker departure! Hence WebAttacker is dead, long live WebAttacker.
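The server-side IP gating described above has two visible fingerprints from a defender's side: the fixed "Sorry! You ip is blocked." string, and the fact that the same client fetching the same URL twice gets different content (exploit on the first visit, refusal on the second). The script below, an added example that is not part of the original post, runs both checks over a small constructed set of captured HTTP responses; the hostname, IPs and bodies are made up for illustration. It generalises the point slightly by flagging any per-client first-visit/revisit divergence, not just the specific error string, since that behaviour is what marks a gated exploit hub even when the message text changes.

```python
import re
from collections import defaultdict

# Constructed sample of captured responses as (client_ip, url, response_body).
# The hostname "hub.example.invalid" and the bodies are illustrative only.
SAMPLE_RESPONSES = [
    ("10.0.0.5", "http://hub.example.invalid/in.php",
     "<script>eval(unescape('%76%61%72%20%61%3d%31'))</script>"),
    ("10.0.0.5", "http://hub.example.invalid/in.php",
     "Sorry! You ip is blocked."),
    ("10.0.0.9", "http://hub.example.invalid/in.php",
     "<script>eval(unescape('%76%61%72%20%61%3d%31'))</script>"),
    ("10.0.0.7", "http://hub.example.invalid/index.html",
     "<html><body>hello</body></html>"),
    ("10.0.0.7", "http://hub.example.invalid/index.html",
     "<html><body>hello</body></html>"),
]

# The literal refusal string seen in the post, matched loosely so that
# whitespace or case differences in a copied backend do not hide it.
BLOCK_MARKER = re.compile(r"Sorry!\s*You\s+ip\s+is\s+blocked\.?", re.IGNORECASE)


def find_block_marker(responses):
    """Return sorted (client_ip, url) pairs whose body carries the refusal string."""
    hits = {(ip, url) for ip, url, body in responses if BLOCK_MARKER.search(body)}
    return sorted(hits)


def find_visitor_gating(responses):
    """Return sorted (client_ip, url) pairs where a client's first visit and a
    later visit to the same URL returned different bodies.

    A static page gives every visitor the same content every time; a gated
    exploit hub serves the payload once per IP and something else afterwards.
    """
    visits = defaultdict(list)
    for ip, url, body in responses:          # keep capture order per (ip, url)
        visits[(ip, url)].append(body)
    gated = set()
    for key, bodies in visits.items():
        first = bodies[0]
        if any(later != first for later in bodies[1:]):
            gated.add(key)
    return sorted(gated)


def analyze(responses):
    """Combine both checks into one report dict."""
    return {
        "block_marker": find_block_marker(responses),
        "visitor_gating": find_visitor_gating(responses),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_RESPONSES).items():
        print(name)
        for ip, url in hits:
            print(f"  {ip} -> {url}")
```

The practical consequence for an analyst is the one the post implies: the first capture from a given source address is the only one that will contain the exploit, so a revisit from the same IP to "confirm" a finding will see only the refusal page.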